Techniques and countermeasures of TCP/IP OS fingerprinting on Linux Systems

Abstract

Port scanning is the first activity an attacker pursues when attempting to compromise a target system on a network. The aim is to gather information that will result in identifying one or more vulnerabilities in that system. For example, network ports that are open can reveal which applications and services are running on the system. How a port responds when probed with data can reveal which protocol the port utilises and can also reveal which implementation of that protocol is being employed. One of the most valuable pieces of information to be gained via scanning and probing techniques is the operating system that is installed on the target. This technique is called operating system fingerprinting. The purpose of this research is to alert computer users of the dangers of port scanning, probing, and operating system fingerprinting by exposing these techniques and advising the users on which preventative countermeasures to take against them. Analysis is performed on the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Protocol (IPv4 and IPv6), and the Internet Control Message Protocol (ICMPv4 and ICMPv6). All the software used in this project is free and open source. The operating system used for testing is Linux (2.4 and 2.6 kernels). Scanning, probing, and detection techniques are investigated in the context of the Network Mapper and Xprobe2 tools.